Why Are We *Still* So Stupid About Passwords?

Longtime information security dilemma: You can pick your friends, but you can't pick their password-creating practices.

Yet another study has revealed that people are picking millions of weak passwords. Password management software vendor Keeper Security reviewed 10 million passwords that came to light in 2016 via data breaches and found that nearly one in six were "123456."

"If the media stopped saying 'hacking' and instead said 'figured out their password,' people would take password security more seriously."

Keeper Security published a list of the top 25 most commonly used passwords, reporting that they account for more than half of the 10 million passwords it analyzed.

How many countless hours have been lost by security experts attempting to share with friends and loved ones the optimal secrets for picking passwords or helping to set up password management software to ensure they never reuse the same password across multiple sites?

The latest analysis of leaked passwords shows that in recent years, unfortunately, little has changed when it comes to how most people pick their passwords (see Why Are We So Stupid About Passwords?).

Part of the problem is perception, according to Khalil Sehnaoui, managing partner of information security firm Krypton. He says that the majority of what gets referred to today as "hacking" is really just attackers guessing passwords.

If the media stopped saying 'hacking' and instead said 'figured out their password', people would take password security more seriously.

Not So Secret: '18atcskd2w'

One interesting finding from the Keeper Security study is that across 10 million leaked passwords, the 15th most used one was "18atcskd2w." In a list populated by numeric sequences, "qwerty," "passwords" and "google," that's an obvious anomaly.

Source: Keeper Security

The prevalence of "18atcskd2w" was seen last year as well, after paid breach-reporting service LeakedSource in April detailed a February breach of Verticalscope.com that resulted in a dump of 45 million records relating to more than 1,100 websites and communities that the site runs, ranging from Techsupportforum.com and MobileCampsites.com to Pbnation.com and Motorcycle.com.

In the Verticalscope.com breach, 18atcskd2w was the second most common password used on the site. "What I believe happened is that these accounts were created by bots, perhaps with the intention of posting spam onto the forums," security expert Graham Cluley wrote in a blog post at the time.

Verticalscope.com subsequently confirmed the data breach, but it has yet to reveal the cause. Still, the organization reset all passwords and said that while it was "already using encrypted passwords and salted hashes to store passwords," it would also require users to follow stronger password rules, saying that "passwords now require a minimum of 10+ characters and a mixture of upper- and lower-case letters, numbers and symbols."

Stop Expiring Passwords

The service said it would also automatically expire passwords "to encourage more frequent password changes," but many security experts now say that forced password expiration puts users at greater risk. Indeed, last year, the U.K. government's National Technical Authority for Information Assurance, now the National Cyber Security Center, warned in its guidance: "It's one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack." It notes that related risks include users being more inclined to reuse passwords, write them down, base new passwords on old ones or to choose weaker, easier-to-remember passwords.

As a result, the NCSC noted it "now recommends organizations do not force regular password expiry. We believe this reduces the vulnerabilities associated with regularly expiring passwords ... while doing little to increase the risk of long-term password exploitation."

Spear-Phishing Success Continues

Training users to expect that their passwords will need resetting puts them at greater risk from spear-phishing attacks, which remain highly effective and low-cost ways for sidestepping both sites that secure passwords well and users who pick strong passwords.

Take the Democratic National Committee, which was allegedly targeted by hacking teams sponsored by the Russian government that are often referred to as Cozy Bear and Fancy Bear. Thomas Rid, a professor of security studies at King's College London, noted in an October 2016 feature for Esquire that Fancy Bear targeted Gmail-using victims via spear-phishing emails that contained links shortened with the Bitly service that led to phishing sites designed to trick Gmail users into changing their password. In reality, however, the fake password-reset site was harvesting their passwords so attackers could use them to access their Gmail accounts.

Between October 2015 and May 2016 these attacks targeted 4,000 accounts and were wildly successful, with one in seven victims ultimately revealing their passwords," Rid writes. "Among the group's recent breaches were the German parliament, the Italian military, the Saudi foreign ministry, the email accounts of Philip Breedlove, Colin Powell and John Podesta - Hillary Clinton's campaign chairman - and, of course, the DNC."

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.